Time
13 hours 9 minutes
Difficulty
Intermediate
CEU/CPE
13

Video Transcription

00:00
Hello and welcome to another Penetration Testing Execution Standard discussion. Today, we're going to be looking at the dreaded payment terms. I know that no one typically likes to discuss money, especially if you're just wanting to focus on penetration testing and things of that nature. But it's very important
00:19
to understand how payment terms work into your overall model,
00:23
as well, as even if you're not the primary party that's concerned with funds and things of that nature,
00:30
you may at times have clients that have questions, or that have issues, or that want to better understand why some things were done one way over another, and it's just good to be informed on the general language that could be involved there.
00:44
Now, the quick disclaimer we have for the day, of course, is that our videos do cover some tools that could be used for system hacking. When we do discuss such tools or demonstrate those tools, you should research them and understand how they work and what they are doing when you use them.
01:02
Please ensure that you research any laws and regulations in your given area for the use of the tools.
01:07
Again, depending on the area, whether you're in a U.S.-based company or you're based somewhere else overseas, that can determine the impact and use of tools in your testing methodology.
01:19
So let's go ahead and look at our objectives for the day.
01:23
So
01:23
what we want to start with is a quick discussion on what payment terms are and some common language associated with those terms. We want to discuss some best practices on how payments and those discussions should be approached. We're going to discuss Net 30, half up front, and recurring payment methodologies. Again,
01:44
these are just some industry terms.
01:46
Anything that you come to an agreement on with respect to your client and how you'll accept payment, or how that payment is accepted if it's outside of your arena, may differ from what is provided here. It could be a hybrid of these methodologies. It could be none of them. So let's go ahead and jump into what our payment terms are
02:05
now.
02:06
Payment terms are essentially the language
02:08
under which a vendor or contractor completes a sale. So that's the key word, that completes a sale, or the conditions under which payment is due. So there's kind of two things going on here.
02:21
One is, when is the work done?
02:24
When is it considered complete? And so that is going to be key in your contract, in your scope of work, and having those due dates and deadlines and drop-dead dates.
02:35
And then the conditions under which payment is due means that it could be 15 days after the work is completed, 30 days, immediately after delivery of the final report.
02:46
Half could be due up front. We're going to talk about each of those things and how those look, and just some basic pros and cons for each. So information with payment terms should include conditions that should be met, meaning
03:00
that I, the tester, or I, the consulting organization, will have completed a final report and have delivered it to the executive team of the business; dates that payment is due, so depending on the payment schedule,
03:15
this could be again that half is due up front and we'll talk about that,
03:20
and then the remainder of that is due upon completion of the work. It could be that 100% of that is due after
03:28
a certain period of time; any applicable discounts. Now, the reason I prefer to lay out the full price
03:38
and then itemize discounts and do things of that nature
03:40
is so that if you have a client that you do recurring business with, let's say, and you provide them with a discount because of that customer loyalty, client loyalty,
03:51
it's good for them to see over time if that discount increases up to a certain threshold. If you went into negotiations with a new client and you provided the discount, it's good to show what the original estimate was and what you came down to,
04:09
because then, one, that provides some transparency,
04:13
and two, the client is aware that they're saving money. If you were to, on the back end, and I've seen this before, let's just say provide a discount and the final estimate is $4,000 U.S.,
04:26
Well,
04:27
the problem with that is that if the original price point was eight and you've provided up to a 50% discount, because, let's just say, a member of your sales team said that they think they can get additional recurring business, or whatever the case may be, that's the reason maybe, or they've had discussions with the client,
04:44
and the client's indicated that, you know, they've seen other firms that are providing,
04:47
you know, this particular rate, and so we wanted to match that. But we didn't know, you know, what work was involved in that reduced rate, how the scope looked, any of those things.
04:57
It's good to have that discount there,
05:00
because then the client does see that you had a rate that was much higher than that, and you've come down from there.
05:08
And to me, it just, you know, provides some transparency, so that if year two rolls around, or maybe year three, they come back and want some work done, they're an existing customer, being that you've done work for them before, and you charge them, let's just say, 4,800 instead of 4,000, and they go, hey,
05:26
the last time you did this work, it was much cheaper.
05:28
Why has it gone up? Why is this? Okay, well, let's have a look. Well, I can see that they gave you a discount. I can see this is why they did it.
05:34
In this particular instance, we weren't matching, you know, that price from last time, and there's additional work within the scope that has to be done. So we're still giving you a discount because you're an existing customer, but it has to go up because of these circumstances. If you don't include that information for discounts
05:51
and you come back two or three years later,
05:54
it could be confusing and hard to remember. And then it is good to mention any expenses that would not be covered under the payment. The reason for that is if you're not doing an hourly rate, if you do a fixed fee,
06:06
which we talked about in an earlier discussion,
06:10
and
06:12
you end up having to, let's say, add mileage as an expense; let's say you have to stay out of town for a night and a hotel room is an expense; meals are expenses. None of that's covered under the fixed fee payment, let's say, for the contract. That could be
06:28
confusing. That could be, you know, hey, why didn't you tell me? I didn't see anything explicitly that indicated these things were covered.
06:34
And so I'm a fan of, for any expenses that are not covered by the agreed-upon fixed fee, itemizing those in, like, a bullet list, and laying out each kind of category of thing that would not be covered by that fee.
06:50
And then you bold it and make sure that your client is well aware of that. That way, if an expense comes up, if something happens, it doesn't catch them off guard. And so,
07:00
really, if you're doing fixed fee, you can try to make estimates for those things if you're scoping accordingly. But sometimes you can't take into account a surprise or unaccounted-for circumstance. And so
07:12
it is good to add maybe some language in there that itemizes some things that may not be covered.
07:18
So the first hardest part of any engagement, in my mind, especially if you're the individual that has the role of discussing payment with a client,
07:29
is terms of payment. And the amount of payment is a factor that should be determined, of course, by yourself, the provider of the service,
07:35
in negotiation with the client, if you have that ability.
07:39
The biggest thing that we want to remember here is, you know, the industry standard for what it costs to have a penetration test done varies by organization, by region, by location, by overhead. The
07:54
organization really puts the price point out there based on what it is that they see as far as overhead and things of that nature and what they have to do to keep the doors open.
08:05
And that differs from organization to organization. So really,
08:09
without discussing what should be charged and what will be charged, some of the best practices that come to mind are being transparent. So
08:16
making sure that you are, again, clear with what expenses are or are not covered. Be clear in payment terms. Be clear on why it may cost more than another firm or why it costs less than another firm. Be ready to evaluate scopes of work. Be ready to provide an explanation on why things are the way they are.
08:37
If you have a client
08:39
that is in front of you and they just want to take the cheapest rate,
08:43
then there's got to be something else to that; there's got to be a reason that they're looking for the lowest
08:48
amount to pay there, and so understanding that, and asking those questions, can help you understand
08:56
if your organization is a good fit for providing whatever it is that they're trying to get
09:01
into. If they only want something done for compliance purposes, to check a box, and there's very specific things that they need done, and it's really not full spectrum as far as a standard penetration test,
09:11
well,
09:13
I personally disagree with doing something that is not on par with best practice. I also understand that sometimes businesses just want to do what they need to do to be compliant. As long as it doesn't violate any ethical standards, and as long as you provide work that is on par with those requirements,
09:31
then that would be a determination to be made by the testing organization or the organization providing the service.
09:39
But being transparent up front will at least get you in the door and, hopefully, you know, help you to understand what the client is looking for. And then you have to be patient, right? Now, I know that some folks are in for the quick sale, and they want to get the work done ASAP, and really, it's just all about the numbers.
09:58
But a lot of times, if you have a savvy consumer, they're going to shop you. They're going to look at other organizations unless you come with a gold stamp recommendation from trusted advisors.
10:09
If you're a new business that they're working with, it's likely that they're going to shop, ask questions, and do some things of that nature. So being patient, especially when it comes to dealing with money and large sums of it,
10:22
is beneficial, and it'll help in the long term.
10:24
Get all terms in writing; that is huge. Do not,
10:30
you know, settle things on a handshake with respect to discounts. Don't settle things on price with a handshake. Maybe verbally, okay, but if you're not the one that's ultimately writing the contract, if you're not the one that's ultimately writing the scope of service, if you're not the one that's ultimately writing the estimate, and you don't own the organization, it's not really fair
10:50
to put them in a position where you agreed to something that you had no ability to agree to.
10:56
And so getting all things in terms that both parties can commit to and can meet is going to be great when discussing payment. And then both parties should have no questions.
11:07
Now, that may sound counterintuitive. It may sound like that could be, you know, a very tenuous process. But
11:15
if either party walks away from the discussion confused or with questions
11:20
on payment terms and on how that's going to be achieved, then it's best that you continue the conversation until both parties are satisfied with the outcome and the result.
11:28
Now, on the business side, if you are the business owner and you're seeking to do a penetration test,
11:35
again, be transparent on what you're looking to get and what you're looking to pay for. Be patient, again. We, as subject matter experts, are seeking to understand your specific need and provide you with feedback.
11:50
Get everything in writing; that helps you as well as the tester. And both parties, again, should have no questions. And so you should feel comfortable about what you're receiving, understand payment terms and things of that nature, and really feel good about what it is that you're doing.
12:05
Now let's talk about one of the three categories of payment terms that we discussed in the objectives. And so Net 30 terms are really known as Net D, which is kind of just the number of days, and is often viewed as a trade credit in which a specific amount is expected to be paid
12:24
in full by the client within a specific period, typically 10, 15, 30, or 60 days after service completion. Now,
12:33
this
12:35
10, 15, 30, 60 days, you could do 90. You can do as many days as you want to do. It really just depends on the organization
12:43
and your model.
12:45
Some pros here: it does provide some flexibility for the client,
12:48
and you, as the testing firm,
12:52
could potentially offer a discount for early payment. So let's say that your overall testing fees and whatnot come out to 5,000 even,
13:01
and, oh, by the way, if you pay us
13:05
20 days before the Net 30, or, you know, if you pay us at 10 days, and if you pay us 30 days into the Net 60, we'll provide you with a 15% discount.
13:16
Okay, that could be an incentive for making the payment. You know, essentially, we're giving you an interest-free loan by allowing you the 30 or 60 days to make the payment.
13:28
But on top of that, if you pay early, we're offering a discount, so that could be beneficial. But it's not something that you have to do in all cases as well. I know a lot of firms typically offer discounts already, and, you know, so it may not be beneficial. Some cons: so the client, and I'm not speaking ill of anybody, but a client can wait until the end of the period to provide
13:48
payment, up to the day of, so up to day zero,
13:52
we can provide payment. And so if you have incurred, again,
13:58
expenses and things of that nature,
14:01
it could make it difficult.
14:03
So and then the other side of this is that
14:07
we can wait. The client can wait until the end of the period to dispute payment and further increase time to payment as well. And so again, I'm not saying that this is the standard. I'm not saying that this is every organization out there. I'm just saying that we've dealt with organizations before
14:24
that don't have
14:28
a good business ethic. I'm not speaking about any particular organization that I've ever worked with; I've just heard some stories,
14:35
and they'll wait until the day that payment's due and get a reminder invoice, or they'll get some kind of feedback from the accounting department that, hey, you know, we were expecting, your Net 30 is due, where's that at? Oh, well, you know, I sat down with the team, we reviewed the work, and we have some concerns
14:54
that need to be addressed before we feel it's right for us to disburse payment.
14:58
And now this drags out for another week or two weeks or whatever the case may be. And so, you know, that could be a downside for Net 30.
15:05
And then, nothing is provided up front to cover tester payment or expenses. And so, you know, if you're a consultant that runs a business, let's just say you're a business owner that does consulting,
15:20
you know, you still have to provide payment to the tester. You still have to take care of expenses. You don't have to do overhead and all those things.
15:28
And so if you're Net 30, your bills are due either at the end or at the beginning, depending on how you structure your payment terms.
15:37
And so
15:39
if you're in a period where, you know, everything is due, all the overhead is due, all the payments are due, all the expenses are due, and that Net 30, Net 15, Net 60 is not coming in,
15:48
that puts you in a position where you may have to take out
15:52
some additional funds to take care of payment. You may have to stretch out the time that it takes for you to pay things. And so again, it's a juggling act. It's a balancing act. You know, if you've got separate departments that handle accounting, some that handle
16:06
billing, some that handle testing, and they're all managed separately, and whatever the case may be, it may not be your day-to-day concern,
16:14
but I can assure you that this is definitely something that would come up in these types of arrangements.
16:19
All right, everybody. So in summary today, we discussed what payment terms are. We discussed how payment discussions should be approached, and we started to look at different payment types such as Net 30. So with that in mind, I want to thank you for your time today, and I look forward to seeing you again soon.

Penetration Testing Execution Standard (PTES)

In this course we will lay out the Penetration Testing Execution Standard (PTES) in all its phases and their application for business leaders and Security Professionals alike.

Instructed By

Robert Smith
Director of Security Services at Corsica
Instructor